Abstract

A model of computer system security operation is developed based on the fork-join queueing network formalism. We introduce a security operation performance measure, and show how it may be used for performance evaluation of actual systems.

1 Introduction

The explosive growth in computer systems and networks has increased the role of computer security within organizations [1]. In many cases, ineffective protection against computer security threats leads to considerable damage, and can even cause an organization to be paralyzed. Therefore, the development of new models and methods of performance analysis of security systems seems to be very important.

In this paper, we propose a model of computer security operation, and introduce its related performance measure. It is shown how the model can be applied to performance evaluation of actual systems. Finally, a technique of security system performance analysis is described and its practical implementation is discussed.

We conclude with an appendix which contains technical details concerning the fork-join network representation of the model, and related results.
2 A Security Operation Model



In this paper, we deal with the current security activities (see Fig. 1) that mainly relate to the actual security threats rather than to strategic or long-term issues of security management.

Figure 1: Computer systems security activities.



Consider the model of security operation in an organization, presented in Fig. 2. Each operational cycle starts with security attack detection based on audit records and system/error log analysis, traffic analysis, or user reports. In order to detect an intrusion, automated tools of security monitoring are normally used, including procedures of statistical anomaly detection, rule-based detection, and data integrity control [1].

Figure 2: A security analysis and maintenance model.

After security attack detection and identification, the integrity of system/application software and data in storage devices has to be examined to search for possible unauthorized modifications or damages made by the intruder. The investigation procedure can exploit file lists and checksum analysis, hash functions, and other automated techniques.

In parallel, the system vulnerabilities which allowed the intruder to attack should be identified and investigated. The vulnerability analysis is normally an informal procedure, and therefore it can hardly be performed automatically.

Based on the results of integrity analysis, a software and data recovery procedure can be initiated using back-up servers and reserve storage devices. It has to take into account the security vulnerabilities identified at the previous step, so as to provide for further improvements in the entire security system.

Along with the recovery procedure, the development of a complete set of countermeasures against similar attacks should be performed. Finally, the operational cycle is concluded with appropriate modifications of software, databases, and system security policies and procedures.

We assume that the organization has appropriate personnel integrated in 
a Computer Emergency Response Team, available to handle the attack. The 
team would include at least two subteams working in parallel, one to perform 
integrity analysis and recovery procedures, and another to do vulnerability 
analysis and development of countermeasures. At any time instant, each 
subteam can deal with only one security incident. Any procedure may be 
started as soon as all prior procedures according to the model in Fig. 2 
have been completed. If a request to handle a new incident occurs when a 
subteam is still working on a procedure, the request has to wait until the 
processing of that procedure is completed. 

We denote by $\tau_{1k}$ a random variable (r.v.) that represents the time interval between detections of the $k$th attack and its predecessor. Furthermore, we introduce r.v.'s $\tau_{ik}$, $i = 2, \ldots, 6$, to describe the time of the $k$th instance of procedure $i$ in the model. We assume $\tau_{i1}, \tau_{i2}, \ldots$ to be independent and identically distributed (i.i.d.) r.v.'s with finite mean and variance for each $i$, $i = 1, \ldots, 6$. At the same time, we do not require independence of $\tau_{1k}, \ldots, \tau_{6k}$ for each $k$, $k = 1, 2, \ldots$.

3 Security Operation Performance Evaluation 

In order to describe system performance, we introduce the following notation. Let $T_A$ be the mean time between consecutive security attacks (the attack cycle time), and $T_S$ be the mean time required to completely handle an attack (the recovery cycle time), as the number of attacks $k$ tends to $\infty$.

In devising the security operation performance measure, one can take the ratio

$$R = T_S / T_A.$$

With the natural condition $T_S < T_A$, one can consider $R$ as the portion of time the system is under recovery, assuming $k \to \infty$.

First note that the attack cycle time can immediately be evaluated as the mean value $T_A = \mathrm{E}[\tau_{11}]$.

Now consider the cycle time of the entire system, which can be defined as the mean time interval between successive completions of security system modification procedures as the number of attacks $k \to \infty$. As one can prove (see the Appendix for further details), the system cycle time $\gamma$ can be calculated as

$$\gamma = \max\{\mathrm{E}[\tau_{11}], \ldots, \mathrm{E}[\tau_{61}]\}.$$
In order to evaluate the recovery cycle time, we assume the system will operate under the maximum traffic level, which is achieved when all the time intervals between attacks are set to 0. Clearly, under that condition, the system cycle time can be taken as a reasonable estimate of the recovery cycle time.

Considering that now $\mathrm{E}[\tau_{11}] = 0$, we get the recovery cycle time in the form

$$T_S = \max\{\mathrm{E}[\tau_{21}], \ldots, \mathrm{E}[\tau_{61}]\}.$$

4 Performance Analysis and Discussion 

In fact, the above model presents a quite simple but useful tool for security system operation management. It may be used to make decisions on the basis of a few natural parameters of the security operation process. Let us represent the ratio $R$ in the form

$$R = \max\{\mathrm{E}[\tau_{21}], \ldots, \mathrm{E}[\tau_{61}]\} / \mathrm{E}[\tau_{11}],$$

and assume the attack rate, determined by $\mathrm{E}[\tau_{11}]$, to be fixed.

Taking into account that the above result has been obtained based on the assumption of an infinite number of attacks, we arrive at the following conclusion. As the number of attacks becomes sufficiently large, the performance of the system is determined by the time of the longest procedure involved in the system operation, whereas the impact of the order of performing the procedures disappears.

It is clear that in order to improve system performance, the system 
security manager (administrator) should first concentrate on decreasing the 
mean time required to perform the longest procedure within the security 
operation model, then consider the second longest procedure, and so on. 
The goal of decreasing the time can be achieved through partition of a 
whole procedure into subprocedures, which can be performed in parallel, or 
through rescheduling of the entire process with redistribution of particular 
activities between procedures. 

In practice, the above model and its related ratio $R$ can serve as the basis for efficient monitoring of organizational security systems. Because the introduction of new countermeasures may change the attack cycle time, the monitoring requires updating this parameter after each modification of the system.

Finally, note that the above model can easily be extended to cover security operational processes which consist of different procedures and precedence constraints.

Appendix



In order to describe the above security system operational model in a formal way, we exploit the fork-join network formalism proposed in [2].

The fork-join networks present a class of queueing systems which allow for splitting a customer into several new customers at one node, and for merging customers into one at another node. In order to represent the dynamics of such networks, we use a (max,+)-algebra based approach developed in [3].

The (max,+)-algebra is a triple $(\mathbb{R}_\varepsilon, \oplus, \otimes)$, where $\mathbb{R}_\varepsilon = \mathbb{R} \cup \{\varepsilon\}$ with $\varepsilon = -\infty$. The operations $\oplus$ and $\otimes$ are defined for all $x, y \in \mathbb{R}_\varepsilon$ as

$$x \oplus y = \max(x, y), \qquad x \otimes y = x + y.$$

The (max,+)-algebra of matrices is introduced in the ordinary way, with the matrix $\mathcal{E}$ with all its entries equal to $\varepsilon$ taken as the null matrix, and the matrix $E = \mathrm{diag}(0, \ldots, 0)$ with its off-diagonal entries equal to $\varepsilon$ as the identity.

We introduce the vector $x(k) = (x_1(k), \ldots, x_n(k))^T$ of the $k$th service completion times at the network nodes, and the diagonal matrix $\mathcal{T}_k = \mathrm{diag}(\tau_{1k}, \ldots, \tau_{nk})$ with given nonnegative random variables $\tau_{ik}$ representing the $k$th service time at node $i$, $i = 1, \ldots, n$, and the off-diagonal entries equal to $\varepsilon$.

The dynamics of acyclic fork-join networks can be described by the stochastic difference equation (see [3] for further details)

$$x(k) = A(k) \otimes x(k-1), \qquad A(k) = \Big( \bigoplus_{j=0}^{p} (\mathcal{T}_k \otimes G^T)^j \Big) \otimes \mathcal{T}_k, \qquad (1)$$

where $G$ is a matrix with the elements

$$g_{ij} = \begin{cases} 0, & \text{if there exists arc } (i, j) \text{ in the network graph,} \\ \varepsilon, & \text{otherwise,} \end{cases}$$

and $p$ is the length of the longest path in the graph.

The matrix $G$ is normally referred to as the support matrix of the network. Note that since the network graph is acyclic, we have $G^q = \mathcal{E}$ for all $q > p$.

The cycle time of the network is defined as

$$\gamma = \lim_{k \to \infty} \|x(k)\| / k,$$

where $\|x(k)\| = \max_i x_i(k)$. Clearly, if this limit exists, it can be found as $\lim_{k \to \infty} \|A_k\| / k$, where $A_k = A(k) \otimes \cdots \otimes A(1)$.

As it is easy to see, the fork-join network representation of the above security operation model takes the form presented in Fig. 3.

Figure 3: The fork-join queueing network model.



For the network graph, we have $p = 3$. Therefore, we get equation (1) with

$$A(k) = \big( E \oplus \mathcal{T}_k \otimes G^T \oplus (\mathcal{T}_k \otimes G^T)^2 \oplus (\mathcal{T}_k \otimes G^T)^3 \big) \otimes \mathcal{T}_k.$$
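As an added worked example (not code from the original paper), the following Python/numpy script implements equation (1) and iterates it for the six-node network of Fig. 3. Since the figure is not reproduced here, the arcs (1→2, 1→3, 2→4, 3→5, 4→6, 5→6), the node roles and the mean service times are assumptions; with constant service times the run reproduces $\gamma = \max\{\mathrm{E}[\tau_{11}], \ldots, \mathrm{E}[\tau_{61}]\}$, the estimate of $T_S$ under maximum traffic, and the ratio $R$ of Section 4.

```python
import numpy as np
EPS = -np.inf  # the (max,+) null element epsilon

def mp_mul(a, b):
    """(max,+) matrix product: (a (x) b)_il = max_j (a_ij + b_jl)."""
    return np.max(a[:, :, None] + b[None, :, :], axis=1)
def mp_diag(d):
    """(max,+) diagonal matrix diag(d) with epsilon off the diagonal (E when d = 0)."""
    return np.where(np.eye(len(d), dtype=bool), np.diag(d), EPS)
def support_matrix(n, arcs):
    """Support matrix G: g_ij = 0 if arc (i, j) exists, epsilon otherwise (1-based nodes)."""
    g = np.full((n, n), EPS)
    for i, j in arcs:
        g[i - 1, j - 1] = 0.0
    return g
def transition_matrix(tau_k, g, p):
    """A(k) = (E (+) (T_k (x) G^T) (+) ... (+) (T_k (x) G^T)^p) (x) T_k, equation (1)."""
    t_k = mp_diag(tau_k)  # T_k = diag(tau_1k, ..., tau_nk)
    m = mp_mul(t_k, g.T)
    acc = power = mp_diag(np.zeros_like(tau_k))  # start from the identity E
    for _ in range(p):  # powers above p are epsilon because the graph is acyclic
        power = mp_mul(power, m)
        acc = np.maximum(acc, power)  # elementwise max is the (max,+) matrix sum
    return mp_mul(acc, t_k)
def completion_norms(service_times, arcs, p):
    """Iterate x(k) = A(k) (x) x(k-1) from x(0) = 0; return ||x(k)|| for k = 1..K."""
    x, norms = np.zeros(service_times.shape[1]), []
    g = support_matrix(len(x), arcs)
    for tau_k in service_times:
        x = np.max(transition_matrix(tau_k, g, p) + x[None, :], axis=1)  # A(k) (x) x(k-1)
        norms.append(float(x.max()))
    return norms
def cycle_time(service_times, arcs, p, burn_in=5):
    """Estimate gamma as the mean growth of ||x(k)|| per attack after a burn-in."""
    norms = completion_norms(service_times, arcs, p)
    return (norms[-1] - norms[burn_in]) / (len(norms) - 1 - burn_in)
def performance_ratio(means):
    return max(means[1:]) / means[0]  # R = T_S / T_A with T_A = E[tau_11]
def constant_service_times(means, k, max_traffic=False):
    """k rows of constant service times; max_traffic sets tau_1k = 0 (attacks back to back)."""
    return np.tile([0.0 if max_traffic else means[0]] + list(means[1:]), (k, 1))

# Constructed data: nodes 1..6 = detection, integrity analysis, vulnerability analysis,
# recovery, countermeasures, modification; arcs and mean times (hours) are assumptions.
ARCS, P = [(1, 2), (1, 3), (2, 4), (3, 5), (4, 6), (5, 6)], 3  # p = 3: path 1-2-4-6
MEANS = [24.0, 8.0, 12.0, 6.0, 16.0, 4.0]

if __name__ == "__main__":
    print(cycle_time(constant_service_times(MEANS, 40), ARCS, P),       # 24.0 = E[tau_11]
          cycle_time(constant_service_times(MEANS, 40, True), ARCS, P), # 16.0 = T_S
          performance_ratio(MEANS))                                      # 0.666... = R
```

Under normal traffic the sink's completion times grow by $\mathrm{E}[\tau_{11}] = 24$ per attack, and with back-to-back attacks by the longest procedure time 16, which is the $T_S$ of Section 3.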

Let us consider an arbitrary fork-join queueing network with $n$ nodes, which is governed by equation (1). We assume that the matrix $G$ in (1) has the upper triangular form. Since the network graph is acyclic, the network nodes can always be renumbered so that the matrix $G$ becomes upper triangular.

Now we describe a tandem queueing system associated with the above network. We assume the evolution of the tandem system to be governed by the equation

$$x(k) = B(k) \otimes x(k-1), \qquad B(k) = \Big( \bigoplus_{j=0}^{n} (\mathcal{T}_k \otimes H^T)^j \Big) \otimes \mathcal{T}_k,$$

where $H$ is a support matrix with the elements

$$h_{ij} = \begin{cases} 0, & \text{if } j = i + 1, \\ \varepsilon, & \text{otherwise.} \end{cases}$$

Note that both matrices $A(k)$ and $B(k)$ are determined by the common matrix $\mathcal{T}_k$, but by different support matrices $G$ and $H$. Clearly, the length of the longest path in the graph associated with the tandem queue is assumed to be equal to $n$.

Lemma 1. For all $k = 1, 2, \ldots$, it holds that $A(k) \leq B(k)$.

Proof: As it is easy to verify, for any integer $q > 0$, it holds that

$$G^q \leq H \oplus H^2 \oplus \cdots \oplus H^n.$$

Furthermore, since $\mathcal{T}_k$ has only nonnegative entries on the diagonal, we have for any $q \geq 1$

$$H^q \otimes \mathcal{T}_k \leq (H \otimes \mathcal{T}_k)^q.$$

By applying the above inequalities together with the condition that $H^m = \mathcal{E}$ for all $m > n$, we arrive at the inequality

$$(G \otimes \mathcal{T}_k)^q \leq (H \otimes \mathcal{T}_k) \oplus (H \otimes \mathcal{T}_k)^2 \oplus \cdots \oplus (H \otimes \mathcal{T}_k)^n.$$

Taking into account that the last inequality is valid for all $q > 0$, we have

$$\mathcal{T}_k \otimes \bigoplus_{j=0}^{p} (G \otimes \mathcal{T}_k)^j \leq \mathcal{T}_k \otimes \bigoplus_{j=0}^{n} (H \otimes \mathcal{T}_k)^j.$$

It remains to transpose both sides of the inequality to get the desired result.

By applying the above lemma together with the result in [4], one can prove the following statement.

Lemma 2. Suppose that for the acyclic fork-join queueing network, the random variables $\tau_{i1}, \tau_{i2}, \ldots$ are i.i.d. for each $i = 1, \ldots, n$ with finite mean $\mathrm{E}[\tau_{i1}] \geq 0$ and variance $\mathrm{D}[\tau_{i1}]$. Then the cycle time $\gamma$ can be evaluated as

$$\gamma = \max\{\mathrm{E}[\tau_{11}], \ldots, \mathrm{E}[\tau_{n1}]\}.$$